
Thursday, January 31, 2019

DoD Expands Purchasing System Reviews to Include Cybersecurity Compliance

The Defense Department recently announced that it will be including contractor compliance with the DFARS (DoD FAR Supplement) cybersecurity clause, DFARS 252.204-7012, within the scope of its Contractor Purchasing System Reviews (CPSRs).

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors and subcontractors to implement the National Institute of Standards and Technology (NIST) standard for protecting controlled unclassified information in non-federal information systems and organizations (NIST SP 800-171) as a means to safeguard DoD's controlled unclassified information (CUI) that is processed, stored, or transmitted on the contractor's (or subcontractor's) internal unclassified information system or network. Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve CUI.

The DFARS clause is lengthy, but in general it requires adequate security (the required controls are defined in detail), cyber incident reporting to DoD within a fixed deadline, procedures to follow when malicious software is discovered, preservation and protection of affected media, cyber incident damage assessment, and more.

The Under Secretary of Defense for Acquisition and Sustainment has now assigned the task of assuring compliance with this regulation to DCMA (Defense Contract Management Agency), which will include compliance coverage within its regularly scheduled CPSRs (Contractor Purchasing System Reviews). The intent of the review (or audit) is to

  • Review contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their suppliers, and
  • Review contractor procedures to assess compliance of the suppliers with the DFARS requirements.

DCMA has not yet revised its CPSR policies and procedures for this added coverage. When they do, we'll provide a link. In the meantime, contractors, subcontractors, and other supply-chain firms need to self-assess their level of compliance with the requirements and take whatever corrective action is necessary to ensure full compliance.

The full DoD announcement can be found here.


Thursday, August 27, 2015

New DoD Reporting Rule for "Cyber Incidents"

DoD published an interim rule this week requiring contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or the covered defense information residing therein, or on a contractor's ability to provide operationally critical support. It also allows DoD personnel access to equipment and information to assess the impact of reported penetrations. This rule implements a provision in the 2015 National Defense Authorization Act (NDAA), and you can read the full text by clicking here.

What are "operationally critical contractors", "covered contractor information systems", and "covered defense information"? We need a few definitions.

Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.

Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Covered contractor information system means an information system that is owned, or operated by or for, a contractor that processes, stores, or transmits covered defense information.

Covered defense information means unclassified information that (i) is provided to the contractor by or on behalf of DoD in connection with performance of the contract, or is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and (ii) is controlled technical information, operations security information, export control information, or any other information marked or otherwise identified in the contract as requiring safeguarding or dissemination controls.

There is significantly more to this interim rule than is covered here. If you think you might be a covered contractor (or subcontractor), you need to become familiar with it and, if necessary, contact your ACO (Administrative Contracting Officer) for assistance in understanding and complying with the new rules, including the specifics for reporting cyber incidents. That's the ACO's job. Don't hesitate to call them. If you do not know your ACO, use the DCMA search app to find the name.